W32/Fujacks.aa

This page shows details and results of our analysis on the malware W32/Fujacks.aa

Overview

W32/Fujacks.aa is a copied variant of the W32/Fujacks worm. It infects PE files, and possibly HTML files, by appending malicious hyperlinks that point to the Windows ANI 0-day exploit, and it spreads via floppy drives and possibly other removable devices. It also downloads additional malware onto the infected machine.


Minimum DAT: 4998 (2007-04-02)

Updated DAT: 5070 (2007-07-09)

Minimum Engine: 5400.1158

File Length: Varies

Description Added: 2007-04-01

Description Modified: 2007-04-01

Malware Proliferation

Characteristics

---Update April 1, 2007---
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.itnewsonline.com/showstory.php?storyid=9182&scatid=6&contid=3

--

W32/Fujacks.aa is a copied variant of the W32/Fujacks worm. It infects PE files, and possibly HTM files, by appending malicious hyperlinks that point to the Windows ANI File Format Handling 0-day exploit, and it spreads via floppy drives and possibly other removable devices. It also downloads additional malware onto the infected machine.

These malicious hyperlinks may be appended as JavaScript references pointing to the following site(s), which host the 0-day exploit:

  • hxxp://{hidden}.microfsot.com/{hidden}.js

More information on the Windows ANI 0-day vulnerability is available at:

This exploit is already proactively detected as Exploit-ANIFile.c with the current DATs.

Upon execution, it spawns notepad.exe and injects a malicious thread into this process. It also installs itself into %Windir%\System32.

(Where %Windir% is the Windows folder; e.g. C:\Windows)

The worm then contacts hxxp://{hidden}.2007ip.com/{hidden}.css to retrieve a list of additional files to download. At the time of writing, the files listed were PWS-LegMir, PWS-Lineage and new variants of W32/Fujacks.aa.

Instead of the usual W32/Fujacks strings found in earlier variants, the body of each variant contains one or more of these silly messages:

  • "I Hate AVP!!"
  • "Well, Boss will come in !!"
  • "I will by one BMW this year!"

The W32/Fujacks.aa thread in notepad.exe then prepends the worm to Win32 PE files. It may also copy itself to A:\tools.exe and create A:\autorun.inf so that the copy is started automatically.

It creates the following registry key(s) to start itself at boot up time:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "System Boot Check"="%Windir%\system32\(unknown).exe"


Symptoms

  • Presence of the mentioned files.
  • Presence of the mentioned registry keys.
  • PE files increase in size by 10 KB to 100 KB or more.
  • HTML files may be appended with the mentioned hyperlinks.
  • Unexpected connection to the mentioned server(s).
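The Characteristics and Symptoms sections above give three host-based indicators that can be checked without signatures: HTML files carrying an appended script reference to the exploit host, an autorun.inf on removable media that launches tools.exe, and the "System Boot Check" value under the HKCU Run key. The following triage script is an added example written for this page, not McAfee's own tooling. It checks a directory tree (for instance a mounted image of a floppy or USB drive) and a .reg export for those indicators. The subdomain and script name were redacted in the advisory, so the patterns match any host under microfsot.com; the sample HTML, autorun.inf and registry export are constructed, and placeholder.exe stands in for the unknown executable name.

```python
"""Triage helper for the W32/Fujacks.aa indicators listed in the advisory.
Added example, not McAfee's code. Checks for: appended exploit hyperlinks in
HTML files, autorun.inf launching tools.exe, and the "System Boot Check"
Run value in a .reg export."""
from __future__ import annotations
import re
from pathlib import Path, PureWindowsPath

# Indicator names taken from the advisory text.
EXPLOIT_HOST = "microfsot.com"                       # redacted subdomain in the advisory
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "System Boot Check"
DROPPED_EXE = "tools.exe"                            # copy written to A:\tools.exe

# <script ... src="..."> attribute extraction, then host/extension check.
_SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?(?P<src>[^"\'\s>]+)', re.IGNORECASE)
_EXPLOIT_SRC = re.compile(r'^https?://[^/]*\b' + re.escape(EXPLOIT_HOST) + r'/.*\.js$',
                          re.IGNORECASE)
# autorun.inf launch directives: open=, shellexecute=, shell\<verb>\command=
_AUTORUN_LAUNCH = re.compile(r'^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(?P<target>.+?)\s*$',
                             re.IGNORECASE | re.MULTILINE)
# .reg export value line:  "Name"="data"
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed samples (not captured from a real infection).
SAMPLE_HTML = ('<html><body>catalogue</body></html>\n'
               '<script src="http://abc.microfsot.com/def.js"></script>')
CLEAN_HTML = '<html><head><script src="https://example.com/app.js"></script></head></html>'
SAMPLE_AUTORUN = "[autorun]\nopen=tools.exe\nshellexecute=tools.exe\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Boot Check"="C:\\Windows\\system32\\placeholder.exe"
'''


def html_exploit_links(html: str) -> list[str]:
    """Return every <script src> URL that points at the advisory's exploit host."""
    return [m.group("src") for m in _SCRIPT_SRC.finditer(html)
            if _EXPLOIT_SRC.match(m.group("src"))]


def autorun_launches_dropper(inf_text: str) -> bool:
    """True if an autorun.inf starts tools.exe, the worm's removable-media copy."""
    return any(PureWindowsPath(m.group("target").strip('"')).name.lower() == DROPPED_EXE
               for m in _AUTORUN_LAUNCH.finditer(inf_text))


def run_key_persistence(reg_export: str) -> dict[str, str]:
    """Parse a .reg export; return the advisory's persistence value if it is
    present under the HKCU Run key (.reg files double the backslashes)."""
    found, in_run_key = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _REG_VALUE.match(line)
        if in_run_key and m and m.group("name") == RUN_VALUE_NAME:
            found[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return found


def triage_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory and list HTML files carrying the exploit link and
    autorun.inf files that launch the dropper. Paths are relative to root."""
    report = {"html_with_exploit_link": [], "autorun_launching_dropper": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        text = p.read_text(errors="ignore")
        if p.suffix.lower() in (".htm", ".html") and html_exploit_links(text):
            report["html_with_exploit_link"].append(str(p.relative_to(root)))
        elif p.name.lower() == "autorun.inf" and autorun_launches_dropper(text):
            report["autorun_launching_dropper"].append(str(p.relative_to(root)))
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:        # constructed removable-drive image
        root = Path(d)
        (root / "index.htm").write_text(SAMPLE_HTML)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        print(triage_tree(root))
        print(run_key_persistence(SAMPLE_REG))
```

The HTML check only flags script sources that resolve to the named exploit host, so legitimate external scripts (as in CLEAN_HTML) are left alone; the registry check is done on an exported .reg file so it can run on a workstation that is not the infected one. The PE size-growth symptom is not scripted here because it requires a known-good baseline for each file.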

Method of Infection

W32/Fujacks.aa is a copied variant of the W32/Fujacks worm. It infects PE files, and possibly HTML files, by appending malicious hyperlinks that point to the Windows ANI 0-day exploit, and it spreads via floppy drives and possibly other removable devices. It can also be downloaded by other malware or by another variant.


Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants